SAP Cyber Threat Intelligence report – March 2019

The SAP threat landscape is always expanding thus putting organizations of all sizes and industries at risk of cyber attacks. The idea behind the monthly SAP Cyber Threat Intelligence report is to provide an insight into the latest security vulnerabilities and threats.

Key takeaways

The set for March 2019 consists of 17 security notes.

This month, Missing Authorization Check is the most common vulnerability type.

SAP NetWeaver ABAP platform has most of all vulnerabilities fixed this month.

SAP Security Notes – March 2019

SAP has released the monthly patch update for March 2019. This set has 17 SAP Security Notes. Two notes are updates to the previous security note release. The highest CVSS base score is 8.7 out of 10. Three notes were released after the second Tuesday of the previous month and before the second Tuesday of this month.

Below is a chart that illustrates the SAP security notes distribution by priority.

One of two updates received Hot News priority rating. The most severe security issue was assessed at 8.7 by the CVSS base score.

This time, Missing Authorization Check has become the largest group in terms of the number of vulnerabilities.

SAP Security Notes Distribution by Vulnerability Type – March 2019

Most of the vulnerabilities belong to the SAP NetWeaver ABAP platform, as a pie chart shows below.

Affected Platforms – March 2019

SAP users are recommended to implement security patches as they are released as it helps protect the SAP landscape.

Critical issues closed by SAP Security Notes in March 2019

The following SAP Security Notes can fix the most severe vulnerabilities of this update:

2764283 SAP HANA Extended Application Services have an XML External Entity vulnerability (CVSS Base Score: 8.7; CVE-2019-0277 ). An attacker can use an XML External Entity vulnerability to send specially crafted unauthorized XML requests which will be processed by an XML parser. The attacker can use it for getting unauthorized access to OS filesystem.

2689925 SAP NetWeaver Java Application Server has a Cross-Site Scripting (XSS) Vulnerability (CVSS Base Score: 7.6; CVE-2019-0275). An attacker can use a Cross-Site Scripting vulnerability for injecting a malicious script that will help access critical information stored by the browser and used for interaction with a site.

2736825 ABAP Server has a Denial of Service via XML External Entity (XXE) vulnerability (CVSS Base Score: 8.3; CVE-2019-0271). An attacker can use an XML External Entity vulnerability to send specially crafted unauthorized XML requests which will be processed by an XML parser. The attacker can use it for getting unauthorised access to OS filesystem.